Corporate boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the company – but there is still work to be done if companies are to meet the challenge set by the 2014 UK Corporate Governance Code, according to a new survey from KPMG’s Audit Committee Institute.
Compliance with the Code guidance on risk management and internal control requires inter alia that boards make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy. However, while many UK audit committee members said their board had increased its involvement in strategy formulation (67 percent), monitoring strategy execution (62 percent) and focus on technology issues including cyber security (51 percent), only half (51 percent) were satisfied that risk and strategy were effectively linked in boardroom discussions.
“The complexity and global volatility that we’re seeing — swings in commodity prices and currencies, a decelerating China, uncertainty in geopolitical hotspots, technology innovation, and disruptive business models — are clearly impacting the board’s involvement in strategy and risk,” said Timothy Copnell, chair of the UK Audit Committee Institute. “But there is a danger that many boards are seeing risk management as a ‘bolt-on’ exercise which potentially leaves them exposed to the strategic risks that could affect the company as well as its long term viability.”
Despite the increased focus on cyber security and technology risk as a critical business priority, 39 percent of UK respondents said the full board should be devoting more attention to cyber risk; and the adequacy of cyber and technology expertise – via third parties and/or on the board – continues to be a concern.
Copnell commented: “Unfortunately, there remains a dearth of cyber and wider technology expertise on boards. 50 percent of UK respondents recognise this need very well, but the risk and opportunities are so large, someone on the board has to know the right questions to ask and be in a position to understand the answers.”
The survey responses, from more than 100 senior UK audit committee members (and over 1000 directors worldwide), suggest that while many boards are clearly stepping up their game, significant challenges remain, including linking strategy and risk, more clearly defining risk appetite and addressing the growing risks associated with cyber security and technology.
Among the key findings are:
- Boards continue to deepen their involvement in strategy, including execution. Some 88 percent of UK survey respondents said the board has deepened its involvement over the past two to three years: in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security), and recalibrating strategy as needed.
- Effectively linking strategy and risk continues to elude many boards. Only 51 percent of UK survey respondents are satisfied that strategy and risk are effectively linked in boardroom discussions. Risk-related decisions, many said, would be most improved by more closely linking strategy and risk, as well as having a more clearly defined risk appetite, better assessment of risk culture, and giving greater consideration to the ‘upside of risk taking’ (versus risk avoidance).
- Better risk information and access to expertise are (still) top of mind. Many boards have recently taken steps, or at least discussed ways, to strengthen their oversight of risk, mainly by improving risk-related information flowing to the board, but also by hearing more independent views and refreshing the board/recruiting expertise, coordinating (and reallocating) risk oversight responsibilities among the board’s committees, and/or changing the board’s committee structure. Six years after the Walker review into the governance of UK banks, 26 percent of those surveyed are still looking for ways to combat asymmetric information risk – the over-reliance on management as the prime source of information.
- Cyber security may require deeper expertise, more attention from the full board, and potentially a new committee. Deeper technology expertise on the board and greater use of third-party expertise would most improve the board’s oversight of cyber security, survey respondents said. Also, despite cyber issues rising up the board agenda in recent years, almost 40 percent of UK respondents said cyber security needs even more of the board’s time.
- Oversight of key strategic and operational risks could be more effectively communicated among the board and its committees. Nearly 40 percent of UK survey respondents cite room to improve the communication and coordination among the full board and its committees on oversight of the company’s key strategic and operational risks — e.g., strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies, and supply chain issues.
KPMG’s survey, ‘Calibrating Strategy and Risk,’ is available here.